building-secure-contracts
💡 Summary
A comprehensive smart contract security toolkit with specialized vulnerability scanners and development guidelines.
🎯 Who it's for
🤖 AI take: "Looks capable, but don't let the configuration put people off."
Risk: Medium. Suggested checks: whether it makes outbound network requests (SSRF/data exfiltration); how API keys/tokens are obtained and stored, and the risk of their leaking. Run it with least privilege, and audit the code and dependencies before enabling it in production.
Building Secure Contracts
Comprehensive smart contract security toolkit based on Trail of Bits' Building Secure Contracts framework.
Author: Omar Inuwa
Overview
This plugin provides 11 specialized skills for smart contract security across multiple blockchain platforms:
- 6 Vulnerability Scanners for platform-specific attack patterns
- 5 Development Guidelines Assistants for secure development practices
Installation
/plugin install trailofbits/skills/plugins/building-secure-contracts
Vulnerability Scanners
Platform-specific vulnerability detection based on Trail of Bits' Not So Smart Contracts repository.
Algorand Vulnerability Scanner
Skill: /algorand-vulnerability-scanner
Scans Algorand/TEAL codebases for 11 vulnerability patterns including:
- Rekeying vulnerabilities
- Unchecked transaction fees
- Asset closing issues
- Group size checks
- Time-based replay attacks
- And 6 more patterns
Cairo Vulnerability Scanner
Skill: /cairo-vulnerability-scanner
Analyzes StarkNet/Cairo smart contracts for 6 vulnerability patterns:
- Arithmetic overflow/underflow
- Reentrancy
- Uninitialized storage
- Authorization bypass
- And 2 more patterns
Cosmos Vulnerability Scanner
Skill: /cosmos-vulnerability-scanner
Detects security issues in Cosmos SDK modules for 9 patterns:
- Undelegation time validation
- Amount validation
- Unbonding validation
- Rounding issues
- And 5 more patterns
Solana Vulnerability Scanner
Skill: /solana-vulnerability-scanner
Scans Solana/Anchor programs for 6 critical vulnerabilities:
- Arbitrary CPI
- Improper PDA validation
- Missing ownership checks
- Signer authorization
- And 2 more patterns
Substrate Vulnerability Scanner
Skill: /substrate-vulnerability-scanner
Analyzes Substrate pallets for 7 security issues:
- BadOrigin handling
- Insufficient weight
- Panics on overflow
- Unsigned transaction validation
- And 3 more patterns
TON Vulnerability Scanner
Skill: /ton-vulnerability-scanner
Detects vulnerabilities in TON smart contracts for 3 patterns:
- Replay protection
- Unprotected receiver
- Sender validation issues
Development Guidelines Assistants
Based on Trail of Bits' Development Guidelines.
Audit Prep Assistant
Skill: /audit-prep-assistant
Prepare your codebase for security reviews with a comprehensive checklist:
- Set review goals - Define objectives and concerns
- Resolve easy issues - Run static analysis (Slither, dylint, golangci-lint)
- Ensure accessibility - Build instructions, frozen commits, scope clarity
- Generate documentation - Flowcharts, user stories, glossaries
Use this: 1-2 weeks before your audit to maximize review effectiveness.
Code Maturity Assessor
Skill: /code-maturity-assessor
Systematic code maturity evaluation using Trail of Bits' 9-category framework:
- Arithmetic safety
- Auditing practices
- Authentication/Access controls
- Complexity management
- Decentralization
- Documentation quality
- Transaction ordering risks
- Low-level manipulation
- Testing and verification
Output: Professional maturity scorecard with evidence-based ratings and improvement roadmap.
Guidelines Advisor
Skill: /guidelines-advisor
Comprehensive development best practices advisor covering:
- Documentation & Specifications - Generate system descriptions and architectural diagrams
- Architecture Analysis - Optimize on-chain/off-chain distribution
- Upgradeability Review - Assess upgrade patterns and delegatecall proxies
- Implementation Quality - Review functions, inheritance, events
- Common Pitfalls - Identify security anti-patterns
- Dependencies - Evaluate library usage
- Testing - Suggest improvements
Use this: Throughout development for architectural and implementation guidance.
Secure Workflow Guide
Skill: /secure-workflow-guide
Interactive 5-step secure development workflow:
- Known Security Issues - Run Slither with 70+ detectors
- Special Features - Check upgradeability, ERC conformance, token integration
- Visual Inspection - Generate inheritance graphs, function summaries, authorization maps
- Security Properties - Document properties, set up Echidna/Manticore
- Manual Review - Analyze privacy, front-running, cryptography, DeFi risks
Use this: On every check-in or before deployment for continuous security validation.
Token Integration Analyzer
Skill: /token-integration-analyzer
Comprehensive token security analysis for both implementations and integrations:
- ERC20/ERC721 Conformity - Validate standard compliance
- Contract Composition - Assess complexity and SafeMath usage
- Owner Privileges - Review upgradeability, minting, pausability, blacklists
- 20+ Weird Token Patterns - Check for non-standard behaviors (missing returns, fee-on-transfer, rebasing, etc.)
- On-chain Analysis - Query deployed contracts for scarcity and distribution
- Integration Safety - Verify defensive patterns and safe transfer usage
Use this: When building tokens or integrating with external tokens.
Skill Organization
building-secure-contracts/
├── not-so-smart-contracts-scanners/
│   ├── algorand-vulnerability-scanner/
│   ├── cairo-vulnerability-scanner/
│   ├── cosmos-vulnerability-scanner/
│   ├── solana-vulnerability-scanner/
│   ├── substrate-vulnerability-scanner/
│   └── ton-vulnerability-scanner/
└── development-guidelines/
    ├── audit-prep-assistant/
    ├── code-maturity-assessor/
    ├── guidelines-advisor/
    ├── secure-workflow-guide/
    └── token-integration-analyzer/
Example Workflows
Pre-Audit Preparation
- Run /secure-workflow-guide to ensure a clean Slither report
- Use /code-maturity-assessor to evaluate overall maturity
- Run /audit-prep-assistant to prepare documentation and checklist
- Share the prepared package with auditors
Platform-Specific Security Review
- Run appropriate vulnerability scanner for your platform
- Use /guidelines-advisor for implementation best practices
- Run /secure-workflow-guide for comprehensive security checks
- Address findings and re-scan
Token Development/Integration
- Run /token-integration-analyzer for conformity and weird token patterns
- Use /guidelines-advisor for token-specific best practices
- Run /secure-workflow-guide for complete validation
- Deploy with confidence
Continuous Security
- Run /secure-workflow-guide on every check-in
- Use the platform scanner for vulnerability detection
- Monitor code maturity with /code-maturity-assessor
- Maintain documentation with /guidelines-advisor
Tool Integration
Many skills leverage security tools when available:
- Slither - Static analysis for Solidity (70+ detectors, visual diagrams, upgradeability checks)
- Echidna - Property-based fuzzing
- Manticore - Symbolic execution
- Tealer - Static analyzer for TEAL/PyTeal
- Web3/Ethers - On-chain queries for deployed contracts
Note: Skills gracefully adapt when tools are unavailable, performing manual analysis instead.
Source Material
This plugin is based on Trail of Bits' open-source security resources:
Related Skills
- audit-context-building - Build deep architectural context before vulnerability hunting
- issue-writer - Transform findings into professional audit reports
- solidity-poc-builder - Build proof-of-concept exploits for Solidity vulnerabilities
Support
For questions or issues:
- Trail of Bits Office Hours - Every Tuesday
- Empire Hacking Slack - #crytic and #ethereum channels
Pros
- Comprehensive coverage across multiple blockchain platforms.
- Includes both vulnerability scanning and development guidelines.
- Promotes continuous security validation.
Cons
- May require familiarity with multiple tools.
- The complexity can overwhelm new users.
- Relies on external tools for full functionality.
Related skills
Disclaimer: this content is taken from an open-source GitHub project and is shown here for display and rating analysis only.
Copyright belongs to the original author, trailofbits.
